My name is Brendan O'Connor. There are three major takeaways from this talk I want you to remember.
Every single thing that we carry around in our bodies, whether that's the radio to talk to 303
or the iThings we all probably have somewhere, leaks way too much data. At every single level,
we as a community have forgotten that privacy, not just security, needs to be a goal. Whoopsie,
the goons are annoyed. Always. What did I do?
So, in fact, we want to change it up a bit. Raise your hand if you're a first-time DEF CON
attendee. You liars. All right. You. The man knows how to speak up. Get up on stage. That's
right. I've got to get somebody tall to do that. All right. The last guy, by the way, slammed it
immediately. So cool your jets. I want to introduce you to 2,500 of my closest friends.
All right. So please welcome the brand-new first-time speaker. Congratulations. And up yours.
Up yours.
Oh, my God. We have to make those smaller. We're doing this all afternoon, man. Anyway, thank you.
God, I love DEF CON.
Now the gentleman with the sideburns has left the stage. We've forgotten as a developer community
that it's not okay just to protect ourselves and to forget about protecting our users.
That is that we've spent years and years, many people on the stage have said we have to protect
ourselves more. The evil hackers, they are using all of our apps and pwning all of our boxes.
That's true. They have been. It's fun. But we've forgotten that it's also important to protect
the privacy and identity data of our users. And it's become somewhat in vogue to dump a huge
amount of data into unencrypted data streams that users don't even see or think about in order to...
I don't really know. It's quite odd, actually. I'll show you some examples.
Final takeaway, it's no longer possible to blend into the crowd. Every person in this room
has seen yet another horrifying action movie where when they're not doing a fire sale,
which apparently a cell phone can hook up to a satellite and reroute the encryption in order
to turn off whole power plants, someone is just going, oh, my God, the bad guy has gone
into a mall. We'll never find him. There are 10,000 people there. That doesn't work.
And it hasn't worked from the government's perspective for a while. It's been relatively easy.
Now it's not going to work for everybody in this room. If you can put together a small computer,
you, too, can track everyone in your local mall, steal their identities, find out what the most
important information in their lives is and then use it against them. And we need fundamental
changes to fix this at every single layer. We need both technical changes, but we also need
cultural ones. It's not okay to request too much data and then to store it. And I say this as
someone who's worked on software that's being used by millions of people every single day.
For financial transactions. We can't leak private data of our clients because our clients
are the ones under attack, not just us anymore. If we don't do this, we've lost the only thing
that we do better than our adversaries and the only reason anyone should ever trust a software
developer. So why are we doing this? Well, these guys have a lot of information on us, right?
Every single day. You walk through Rio, there's hundreds or thousands of these cameras. And I was just recently
told by my sister, who I thought I trained better, that really security is the government's area.
We shouldn't worry when the government does things to secure us because, after all, they're the
government and they know it best. This means two things. One, a lot of people
actually believe this, which is a little terrifying. And two, I am a terrible brother. Not just because
I told you this, but because obviously I didn't educate my sister well enough while she was growing up.
And now she's a great big doctoral student and it's really a little bit too late.
Those of us in this room know that the government is not very good at securing things by means other than
throwing them in prison for very long amounts of time. But the government has a near monopoly on surveillance.
That's fine, right? The good guys have it. But that's not actually true.
When we look at, for instance, Blue Coat boxes found in a whole bunch of countries that are not the good guys,
we know that actually we're helping repressive governments. And hey, even after PRISM, even after every leak that's
come since the PRISM leaks, I'm still hearing, hey, well the NSA needs that. I'm sure that's okay, right?
It's okay as long as only the government can spy on us.
We hear a lot that sunlight is the best disinfectant. A recent study showed that cops wearing
sunglass cameras were 88% less likely to commit actions resulting in complaints and 60% less likely to use force at all.
When they did use force, those officers wearing these cameras were consistent in using the least amount of force possible in a situation.
This effect was not duplicated, shockingly, on those officers and their forces refusing to wear the cameras.
If we can see what's going on, if we can look back at our government, we have the opportunity to make sure it works as efficiently and safely as possible.
If not, we are subject to blackmail, extortion, and threats. See, for example, Aaron Swartz.
So we need sunlight, but we need sunlight quickly. We don't have time to wait for a new dawn.
Anybody know what this photo actually is? What is it?
It's a nuclear test.
It's the largest nuclear test ever detonated. It's Tsar Bomba.
We need to blow up this situation to make it clear to every single developer at every single layer that this is no longer an acceptable use of our private information.
So I get called a stalker. Not this stalker. This is apparently an adorable kitten that is called stalker.
I get called this kind of stalker. But we all do creepy work in this room.
And we do it because the only way to raise the issue of creeping surveillance and loss of privacy is to make it clear that anyone, not just the good guys such as they are,
can use this technology for good or evil.
CreepyDOL is a distributed sensor network that combines wireless sniffing, distributed command and control, 3D visualization, and grenade-style encryption
to do real-time personnel tracking and true identity theft on a major urban area in real time for almost no cost.
It is stalking as a service. That's what we're here today to see.
There's one complication, though, and that's weev, or Andrew Auernheimer.
The United States government has declared a holy war against legitimate security research.
And some of us think that's probably not a good idea.
A lot of people in this room don't like weev very much because he's a troll and he did horrible things and said horrible things about nice people.
But it doesn't matter.
The thing about criminal law is we don't get multiple bites of this apple.
Mighty Casey gets three strikes to strike out.
We get one in the Third Circuit and it's pending already.
We need to take actions to protect weev and legitimate security researchers,
even when they seem like terrible people, not for them, but for all of us.
If everyone in this room isn't going to be in prison by this time next year,
we need to start hoping that weev wins this appeal.
Because otherwise, hey, that was only in New Jersey, right?
Except that weev was in Arkansas.
They dragged him to New Jersey because they thought they'd get a more favorable hearing.
And they were right.
Every internet connection goes through every place in the United States.
So if we're not going to end up in prison, we better defend weev.
And this affects the way that I do this research.
But first as a side note, I wrote this amicus brief in conjunction with all the people on this list
and Alex Muentz down at the bottom, a great hacker lawyer.
Thirteen big security researchers, a lot of people in this room or at this conference,
Dan Kaminsky, Matthew Green, professor at Hopkins,
Sergey Bratus, a professor at Dartmouth, Jericho, Space Rogue, and Mudge.
These are people you've heard of.
They're people whose work you should be supporting, even if you think you don't like weev.
This affects every one of us, whether we're DARPA program managers, professors,
or itinerant hackers.
And in the meantime, we have a chilling effect because we cannot trust legal actions to not be prosecuted anyway.
Therefore, CreepyDOL has not been tested on a whole city.
Because even though every court in the United States has consistently said that wireless sniffing is A-OK,
it's the same as sitting in a coffee shop and hearing the guy next to you talk too loudly on his cell phone
about raising his next round of venture capital funding, which happens way too often,
we can't rely as a community on the government not prosecuting hackers for legal actions.
I leave the next step of world domination to a braver researcher.
Since I'm a law student, we have an extremely serious disclaimer.
One more second to let you all read it, or get enough.
This disclaimer is not intended to be ironic.
So let's talk about DARPA's cyber fast track.
CreepyDOL is not CFT work.
I've had to make this extremely clear to a few people.
DARPA tries very hard not to build stuff that creeps people out,
because they've had a bit of a PR problem in the last couple decades.
But two CFT contracts did let me build two of the core systems.
The Reticle system, which is the distributed command and control layer,
and the visualization system, for reasons that are not likely to become clear at the moment, called NOM.
So thanks, Mudge, if he's here.
And wear those green t-shirts with his face on them with pride.
This is the brief roadmap.
First, let's talk about the goals we have for this project.
First, we want to see how much we can extract from passive-only wireless.
That means I don't want to do man-in-the-middle.
Partially because I don't want to go to the bad kind of federal prison,
but partially because design constraints help us become creative.
And it turns out that doing the active attacks, like the Pineapple Jasager attack, aren't necessary.
We can do this without them.
As soon as a device turns on that has wireless,
it sends out a list of its known networks,
all of its known networks, for years in the past sometimes,
every couple seconds,
even when it's connected to a known network.
As soon as a device thinks it's connected to Wi-Fi,
all of its background sync services will kick off again.
That means Dropbox, that means iMessage, everything.
And a lot of those, as they're establishing the SSL connections,
we get a lot of cool data from.
And because we're sensing in places like coffee shops that have public Wi-Fi,
that means we get a lot of cool data pretty often.
Over unencrypted Wi-Fi, all the data sent by a device is of course exposed,
that's what we mean by unencrypted,
which means that we can see everything they're talking about.
Sometimes they're talking over SSL,
which means that the core data is in theory encrypted.
But it turns out that, again, lazy developers, that is us,
have been leaking all of this cool data outside the SSL envelope,
and I don't know why.
But especially as they set it up,
or as we look at things outside the envelope,
we're going to see a lot of neat data.
And the cool part about this is,
because we have a really awesome primary key,
we can just sit and wait.
So maybe you make one small identity mistake in one cafe,
maybe halfway around the world,
as long as I'm in multiple places with my little boxes,
I drop another box,
and maybe you make another small identity mistake,
and I start to build up a profile of who you are,
where you are, because I distribute them,
and I know that, hey, Wi-Fi's not that long range,
so if I can hear you, you're probably almost on top of me.
And then finally, once we get one,
out of 10 to 100 sensors spread out of an area,
we have time and place analysis.
That means I know your patterns,
I know your practice,
I know what things are important to you,
and if I really want to blackmail you,
I will eventually find whatever it is that's most important to you
and that you most don't want exposed.
This is what we mean when we say knowledge is power, right?
Pretty sure that's what I learned in school.
Our second goal is large-scale sensing
without any centralized communications.
It's really easy to just say, for instance,
I'll go to Verizon and buy 10 USB sticks.
The problem is that is twofold.
One of them is that it's really, really expensive.
And these days I'm a law student,
and when you go to your law school and you say,
hello there, I would like to apply for a grant for my research.
Ah, yes, what is your research?
Oh, I'm doing distributed sensor networks so that I can spy on people.
They back away slowly and then call your dean.
My dean is a wonderful woman.
I will do the favor of not mentioning her name on stage.
But suffice it to say, they're not going to fund my work anytime soon.
So it needs to be cheaper than just buying Verizon.
The other reason we're not going to do Verizon or any other cell provider
is that it provides the bad man with guns, my standard adversary,
a way to figure out who I am.
They simply pick up a box, read the ID off the back of the device,
and say, ah, yes, Verizon.
Dear Verizon, who has this device?
We would like very much to throw him in Guantanamo.
Signed, the United States government.
The major telecom providers all have whole offices
dedicated to responding to exactly this kind of query.
So we're not going to have any centralized communications at all,
so that they can't track us,
and also so that there's not one single point of failure.
If you saw the botnet talk yesterday,
you know that all the good botnets these days
don't have a single point of control.
They work a lot like Reticle does.
Finally, we have a third goal, which is intelligibility.
The NSA slides make Tufte cry.
It's a very sad thing.
What we want is intelligibility on this large-scale sensor data,
so we can prove to people, this is a problem.
It's the difference between writing a zero-day
and writing a zero-day in Metasploit.
When every script kiddie sitting down in the basement
can stalk his entire city,
maybe we'll see some improvement on this issue.
In the meantime, we're not.
Let's talk a little bit about background, just a couple slides.
One, I'd like to pour one out for all the academic
sensor network people everywhere.
This works kind of like a sensor network, but not exactly,
because mostly sensor networks are these ultra-low-power,
beautiful little devices.
They work exquisitely.
They do wonderful research with them.
I'm very sorry for hitting that mic.
And they sacrifice everything else to get there.
They work in horrible languages like nesC,
which if you've never heard of it, look it up.
It's terrifying.
But they especially sacrifice cost.
Academic sensors cost upwards of $600 a piece each.
So that's not good.
I want something that I can write in a real language
that preferably runs Linux.
Debian would be nice.
And I want it at least an order of magnitude cheaper.
And also background large-scale surveillance.
I swear my outline back in March for this talk
said that one can assume that the intelligence community
has solved all of the problems involved in CreepyDOL before me
and that they should rightfully be cited as prior art,
which I'll be happy to do as soon as they publish their results.
So thank you, Edward Snowden.
You have made it possible for me to give proper academic-style
due credit to the people who most deserve it.
And pour one out for the poor guys at the NSA,
because a lot of this stuff is really hard
and there's a lot of little fiddly bits.
There's a lot of bugs you have to work on.
So let's talk about the CreepyDOL architecture.
First, hardware.
This is F-BOMB version 1.
F-BOMB stands for the Falling or Ballistically Launched Object
that Makes Backdoors.
It's a terribly tortured acronym
because I used to work for DARPA
and they love terribly tortured acronyms.
I originally presented this at ShmooCon 2012.
At the time this was based on the Marvell Sheeva board,
the same thing that is inside the SheevaPlug.
But this board actually comes out of a thing called a Pogoplug
because Pogoplug decided they could charge
an extra 50 bucks off the dev board
if they put it in a pink case.
When that business model failed,
I could buy hundreds of the things on Amazon for 25 bucks,
a quarter of the cost of the dev board.
So that was very nice.
I'd like to thank Pogoplug for their contributions to my research.
The other thing is that it fits inside a carbon monoxide detector.
How many of you guys have recently checked
your carbon monoxide detector to make sure
they weren't working for me?
And this is the old version.
It's as big for the F-BOMB version 1
as it is for the F-BOMB version 2.
That's a business card for scale,
or if you can look at my hand and see it.
This little box holds a whole lot of good hardware.
It holds a Raspberry Pi model A,
for those of you into those such things,
because every hacker needs a Raspberry Pi,
or 10 of them.
I actually would like to apologize
to the Raspberry Pi enthusiasts.
I actually bought 10% of the US supply
of the first round of model A's
because I didn't know they were only going to bring
100 in the United States.
I think I really screwed up a few business models there.
There's a cheap plastic case,
which is literally just a cheap plastic case.
There are two tiny Wi-Fi dongles.
There's a small SD card.
There's a USB hub.
And there's one of those awesome power adapters
you can get on eBay for about $3
that look like Apple power adapters
but occasionally electrocute people.
This just happened last week.
And Apple released a thing saying
only buy original Apple.
Thanks guys, but they cost $25.
So $3 is better, and hey,
I plugged them into other people's apartments, right?
That's the idea.
So why two Wi-Fi?
Well, it's because again, I don't want to bring
centralized communications.
So instead I'm going to use all of your centralized communications.
We connect to local Wi-Fi.
But Brendan, in this magical place where you live,
is there municipal Wi-Fi that actually works?
No.
There's municipal Wi-Fi that doesn't work,
which is kind of typical.
There's a lot of coffee shops and bars.
Every random dive bar has Wi-Fi now in Madison.
It's a wonderful thing.
A lot of those have captive portal agreements, though.
And captive portal agreements
make your embedded code sad.
So I wrote a library called PortalSmash.
It clicks on buttons so that you don't have to.
It's available on GitHub right now:
github.com/ussjoin/portalsmash.
And again, thank you, DARPA.
Let's talk about the middleware now.
We're building from the bottom up.
We've talked about hardware.
Now we're going to talk about the middle layer,
called Reticle.
Reticle is a leaderless command and control software
designed to work a lot like botnets.
This was the first of the two DARPA CFT contracts I mentioned.
I made a whole presentation on this last year
at BSides Las Vegas,
but I'll briefly summarize.
Because there has been a full rewrite since then.
It still works the same way,
but there's not nearly so many swear words in it.
And occasionally it doesn't break because my cat
stepped on my keyboard.
Each Reticle node runs CouchDB, which is a NoSQL database,
which works very nicely,
plus Nginx, Tor,
and some custom simple management software,
a couple Ruby scripts in essence.
And all of this is open source.
This lets nodes combine into what I call a contagion network.
Somewhat different than a normal peer-to-peer network
because it lets nodes exchange data to every other node.
It doesn't let them send it to individual nodes.
This means that we can do data exfiltration
as quickly as possible to as many nodes as possible
in the hope that we get the data out
before the bad men with guns shoot the box.
To make reverse engineering of a node
much more difficult,
let's use what I call grenade-style encryption.
It means pretty much what it sounds like.
You boot a node with a USB key
that contains the full-disk encryption key.
It reads the key, stores it in volatile memory only.
Then you pull the pin out
and you throw it at your adversary.
Preferably not at their head.
Once you've done that,
unless somebody actually runs a cold boot attack on it,
then you're pretty good.
If you pull it out from power,
you lose the encryption keys.
As for cold boot, well, here's the thing.
How many people dump liquid nitrogen
in the box they find in their house?
There's one guy, two people
dump liquid nitrogen on everything.
I would love your house.
For the rest of you, as soon as we've gotten
every person in society to dump liquid nitrogen
on everything in their house,
we have one and we can all go to 303's party.
CreepyDOL is just a mission that Reticle runs.
They all talk to each other over Tor
hidden services,
and as mentioned before,
they all do this contagion network thing.
So as soon as the data gets to one place,
So let's talk about the design of CreepyDOL.
It's a creepy doll, right?
It should be fairly simple.
One underlying principle is we're going to do
as much computation as possible
on the edges of the networks,
that is, on these little boxes.
They're not very powerful, but they're not bad.
They've got 256 RAM, we don't need that much
for CouchDB, they work fairly efficiently.
And the reason we do that is to be nice to Tor.
Tor, for those of you who don't know,
is usually overloaded.
Please go donate money to those who run more
So we don't want to send whole PCAPs home,
partially because it's routed through Tor,
and partially because we're taking coffee shop's bandwidth
and the guy who's trying to download warez in the corner
because no one will track him in a coffee shop
will get annoyed at us.
So we're going to do distributed querying for distributed data.
We process all of the data on the nodes,
the PCAPs we save,
we get as much actionable intelligence out of them
as possible, and we just send that home.
We never send the PCAPs home.
We then do centralized querying for centralized questions.
This is where we can do
really awesome types of questions.
Like, where do you usually go for coffee
at 8 o'clock in the morning?
Or for those of us in this room,
where do you usually go for coffee at about 3 o'clock in the afternoon
once you've dragged your butt out of bed?
We do these things on the centralized node
because even though the distributed nodes
have a lot of distributed data,
they don't have a lot of hard drive storage.
They only have 8 gigs a piece.
So we want to be able to do the long-term
data mining type queries back home.
And what we do is we pull the data out of the grid
as fast as possible.
We delete it, free up hard drive space,
and then we have a centralized point of visualization only.
It's not the command and control networks,
it's just the place we plug our Xbox into.
And I'm serious about the Xbox thing.
We'll talk in a minute.
The way we extract this actionable intelligence
is called NOM, for nosiness, organization,
and mining, and because it's hilarious.
Let's talk first about O,
the observation filters.
Observation filters are the stupidest
possible filters, and they're per application.
That means that they take in a PCAP
and they say, okay, this PCAP
is from Dropbox.
Flip to the Dropbox filter.
Okay, from Dropbox we can extract the fact,
oh, we can only extract that they use Dropbox.
That's something good to know.
There's another filter that
processes Apple iMessage.
Look at the last line of this.
This is obviously just a screenshot from Wireshark.
There's a lot more data there than they should
be having outside the nice little TLS
encryption thing, right?
I know exactly what version of iPad I have,
which luckily I knew, but if you didn't,
that would be useful.
This is the latest version,
which if it's not the newest version,
means you know exactly which vulnerabilities
it has and how to exploit it remotely.
And in case I wasn't sure enough,
I've got the exact build number as well.
In addition to the fact that they're using iMessage.
That's a lot of data immediately, right?
And this is from one service.
Observation filters are per service.
So I've written about ten of them.
They take about five minutes each.
It's not very hard.
Just look for anything outside the envelope.
And the idea is that we build up little tiny bits
and test them over time in the CouchDB
into one
summarized identity.
So we get a little bit from iMessage.
We get a little bit from Dropbox.
We get a little bit from your feed reader.
How many of you guys still use a feed reader
after Google Reader collapsed?
About a third of you, a quarter of you.
How many of you guys actually watched the stuff
over the wire to make sure it was as secure
as Google Reader?
Nobody. Yeah, turns out a lot of the ones
that I actually personally switched to
and the ones I still use
transmit everything in the clear.
And weirdly, they transmit my real name
and my email address in the clear.
In addition to an authentication cookie
because they've never heard of Firesheep.
Because a lot of this stuff got spun up
really, really fast as Google Reader was dying.
Which means we can get a lot of data.
We can get even funnier data, though,
out of your online dating profile.
And you all have one.
And you are disgusting.
So back to the NOM filters.
Two other things in NOM, right?
Mining filters.
Nosiness filters take little bits of data
and they submit it to things like
online directory services that look for
every account with that username.
That email address, usually.
So you can submit it to a service
it checks the forgot password forms
of 200 different websites
and even though we've been screaming about
the forgot password vulnerability for years
they still respond differently if you have an account.
So now I know every service that you use.
And of course, if I were a criminal,
a terrible person, I could then break into those services
Turns out I can do even funnier things
and still be more or less within the law.
Finally, there's mining nodes.
And this is where we do the big data.
We only run that M type queries in the back end.
This is where we start doing pattern and practice.
And I mentioned before, where do they go for coffee
and do they go for coffee every day?
That's one thing. We can do cooler things.
For instance, if I see one device
that moves around a city, I see it everywhere.
It goes here, it goes yawn.
That's great.
What if I see another device that only exists
sometimes.
It's in the same location
as the first device that I saw.
So what happens is the first device goes
somewhere, it stops moving,
a second device suddenly turns on,
works for a while, then the device turns off
and I don't see it again, and then the device moves out.
That's what we call a laptop
being used by somebody with a mobile phone.
Once I've seen that for a little while,
a little bit of data mining, a little bit of fuzzy math,
suddenly I've got one profile instead of two.
So even if you thought,
oh hey, my mobile phone is trackable
but I only do my creepy OkCupid stuff,
on my laptop, where I get really freaky,
that's okay, right?
Because Brendan will never see me.
Wrong-o. Now I know it's all you,
and I've seen the shops you go to,
and I for one am terrified.
I didn't know you could buy them that big.
This is the CreepyDOL architecture,
pretty much as I've described.
You can see on the left hand side of the screens,
a few different nodes.
They're all connected to every other node
is the basic idea.
They go to one node which I mentioned before,
the sync node.
But it's not usually encased in one of these boxes.
I usually run it in a virtual machine.
Its job in life is to pull data off of the wire
and send the delete commands
to free up the hard drive space on all the other nodes.
And then store it into another storage mechanism.
I have two different storages
that I use in tandem.
One is called Shark,
and Shark is actually
an all-in-memory derivative
of the Hadoop Hive project.
Which means that I can store really big things,
like when I had 600 gigabytes of packet captures,
I could throw them in Shark
and keep queries on them.
I store the rest of the stuff in CouchDB,
which lets me run really fast queries.
I combine them together using a Ruby script
written in Sinatra,
which is just a Ruby, very simple web server,
which does translation from the completely
ridiculous Shark format
into a much saner JSON format.
Finally, I run them into a visualization.
And you can see down in parentheses there,
if you see it, it's running Unity.
That's right, I built a video game.
It's my first video game, so it's not very pretty.
But all of my little space aliens
are real people, which makes it much happier.
Finally, I pull data.
Because I'm getting GPS location,
I might as well pull data from CloudMade,
a nice OpenStreetMap provider.
So let's talk about this visualization.
It's the second DARPA CFT contract.
It's also called NOM.
It's a whole other thing.
It uses the Unity game engine.
Two notes. One, that's a great toy.
If you've never played with a game engine,
Unity is actually free for indie developers.
So go ahead and try it.
It's really cool what you can learn.
And compiled into the .NET common language runtime
with a bunch of C sharp and interpreted at runtime
by mono on an iPhone
is a horrible debugging platform.
Oh my god.
You've never seen weird JavaScript errors
until you've seen them as interpreted
by four other languages in the middle.
But the advantage is,
it works really well at the end of the day.
The guys at Unity really know their stuff.
And this is the cool part about using prewritten game engines.
If you've ever tried to write your own visualization,
you spend three months trying to draw
a box on the screen in the right place
and then you spend the extra two weeks
before your DEF CON talk going,
crap, now what do I do?
If you do this, everything just works.
You just say, put this here.
And it works really well.
You've got one simple translation
between latitude and longitude
and your internal world coordinates.
And then it runs on an iPad, which I love,
or it runs on Windows, Linux, Android,
Wii, or Xbox 360.
I've never written a security tool for Xbox 360
that could pass the developer certification,
Part of the side effect of this is you said,
oh, wait, Brendan, you said 600 gigs of data.
How do you hold that on an Xbox 360?
I don't.
That's why we have the servers that I mentioned
in the last slide.
They do all the heavy query lifting
so that you can just run this on an iPad
and don't have to do any of the heavy processing.
They talk to each other, because I love irony,
over unencrypted HTTP.
So we're going to have a demo video
and you can watch closely,
you can almost see the creepy take place in real time.
Before we do that, as I was saying,
we have test parameters.
Remember Weave? Remember how we're all terrified?
If we're not terrified, you're not paying attention.
So we can't spy on everybody in the city,
which I hate.
This doesn't mean we can't do valid testing,
but if we just stalk me,
if I stalk myself, in essence,
what this means is we only get to see me.
So you're going to see a lot of dots on the next screen
that represent me in different places.
Imagine if instead there were 100,000 dots
and I've tested up to that many nodes
using generated data or data out of academic sources
it works incredibly well
and it scales incredibly effectively.
So we never collected any random stranger
at any time, because even though it's apparently
legal, we can't be sure
of anything anymore until somebody's
smacked down the third circuit.
So let's watch it. First video powered by Unity.
I'm sure this is not the press release
they were expecting to see.
And it should be running here. I hope it's running.
It's not running on my screen.
Is it running? Okay, so you're going to see a few things
but I'm not going to say them exactly in time.
First you'll see the dot move around the map.
Then you'll see OpenStreetMap load.
You're going to see me zooming in and zooming out.
Basically it works like StarCraft.
Then you'll see I draw a box zoom across it
again just like StarCraft and that zooms
the data in and zooms the map in.
You can hover over different nodes
to see just how many times I saw them
or how many nodes are in about the same room at the same time
and their MAC addresses.
At the end, and please tell me when this happens,
you can click on one node and then
you see everything in the world.
So yeah, real name and email address
from a Google feed replacement, I should say.
It's not Google Reader's fault.
Photo from an online dating site
whose name we're not going to say
because I've heard they have angry lawyers
even though they haven't heard of Firesheep.
All the rest of the data
from all the rest of the different sources.
You can see that they use iMessage
so we know what kind of device this was.
You can see that they use Login
which is a commercial, basically it's a replacement
for every screen sharing site.
And we have all this great data.
We even have the Weather app
which helpfully transmits in the clear
exactly what location the iPad thinks it is
so I can make sure that my sensors are appropriately placed.
They're actually helping me calibrate
my own network. It's awesome!
So let's talk about future work.
Well the first thing is, what other applications
could we do besides being decidedly creepy, Brendan?
Well, one,
we can do counter infiltration.
Those of you who participated or even read the news
about the Occupy Wall Street and Occupy Everything Else
movements, have noticed that
a lot of times a mysterious stranger
slips into a group, then
suddenly somebody throws a rock
and then the mysterious stranger is gone.
It's amazing how effectively this works.
You can use CreepyDOL for counter infiltration
though, because you just set an alarm.
Say, hey, if anybody new shows up in this area,
scream bloody murder. So whenever the
bloody murder, bloody murder alarm goes off,
everybody knows, look for the one guy with the
blackberry. He's the fed.
You can also use this, with apologies to the
grugq, for operational security training.
You can say, well,
hey, if I throw these over a whole network
and I just look for devices that I know my agents
are carrying, how much data are they leaking?
How terrified should I be?
Here's a hint, really terrified.
And you don't need to control
what every network and agent access is.
If you're a corporation with a very loose sense
of ethics, who wants to make absolutely
sure that when your employees go home
they're not leaking trade secrets, just spread
these over the whole town where they live.
You'll make sure that every time one of them connects
to get their email or to send your trade secrets off
to a competitor, you too will know it.
So we'll have actual operational security
through the complete and total invasion
of privacy.
The thing is, this is the trade-off
that we've suddenly come to live with.
And I'm not sure why we've done this.
We've just accepted that we have
no choice in the matter, that our devices are going
to continue to leak increasing amounts of data,
that Mark Zuckerberg is going to be able to go on
CNN and say, well, privacy is dead.
I don't know why anyone would want privacy.
Here's the reason we want privacy.
We want privacy so that I don't
want you going into, for instance,
a bar, a singles bar, that your
wife doesn't know about.
Not just because, oh my god,
you cheated on your wife, but because if I stalk
a whole area, let's say, for instance, since I live
six blocks from the state capitol,
I stalk a couple blocks around the state capitol,
I don't need any particular
person to do anything wrong.
I just need one person to do something wrong.
And then I get maybe a small change
to a bill.
People have been doing this for a very long time.
This is what we call surveillance and creepiness.
Here's the difference.
I'd have to pay a whole team of surveillance
agents 24 hours a day
to watch Senator so-and-so until
he does something really stupid.
I can throw a few of these around
and they're $57 a piece.
So for the cost of a really expensive dinner
here, actually kind of a medium expensive dinner
here in Vegas, I can throw
10 or 20 of these things around and
just find the first person with a weak
wallet, a weird sex life,
or just something they don't want everyone
in the world to know.
Except for Anthony Weiner because apparently he's invulnerable.
Everybody else, however,
is going to have an issue.
You can also use this for evidence logging.
Any kind of fast-moving scenario like protests and rallies.
There's a real problem with the accidental
destruction of electronic evidence
during crackdowns.
It's very hard to know who is in a kettle
when the cops lock you all in and then eventually take you off.
It's hard for Occupy to know
who they need to save from the jails.
Since CreepyDOL uses a contagion network,
you could easily strap one of these to your belt,
have it scan all of your friends continuously,
and transmit that off-site immediately.
You're constantly offloading and exfiltrating
your data so that you always know
where your friends are, which on the one hand
they lose a little bit of privacy, on the other hand
maybe they don't spend two more weeks in jail than they needed to.
And again, unless an adversary
already knows what this is
and why they care, they're probably going to
unplug it to look at it. They're not going to know
to take it off in exactly the right way
to allow them to do a cold boot.
So again, unless they're just throwing liquid nitrogen
onto random protesters, which
even, like,
you know, in Madison we had cops kill a kid
for walking while drunk, which is also known as
being in college.
But even they're not just splashing
liquid nitrogen around. We're probably pretty
safe from cold boot attacks
for a very long time, and that means
that we get all the data out we need.
Let's talk about improvements to this.
One thing is that we can scale up.
The fastest and easiest way is to shard our contagion networks.
Because contagion networks aren't
connecting to each other directly over RF,
they're all connecting to each other over their local
coffee shop's Wi-Fi, we can shard
a contagion network by having 20 nodes
in 20 random places and have 5 or 6
overlaid networks that don't actually
need to connect to each other in any physical way.
This means we can do geographical
distribution really efficiently with this.
Because yeah, eventually you're going to be
transmitting so much data that you can't
delete it off the nodes fast enough.
So when that happens, probably about 50 or 60 nodes
if you've got a well-traveled area,
then you probably want to start splitting up
your contagion networks. Each network then
just has one data-sign node, they can all
throw it into the same visualization,
and the visualization is good to a couple
terabytes at least, more if you've got better RAM.
As I mentioned, scaling the backend isn't hard,
especially because there's a great script
for Shark that lets you run on an Amazon EC2.
That means that yes, we can have
networking as a service. It's from the cloud
so it must be here to help us.
There's CouchDB
servers as well, they even run GeoCouch
which is a modification of CouchDB that I'm using
for this. It works really efficiently.
The visualization's a little bit
harder in that there's a limit to how many
nodes, a couple thousand I can draw simultaneously.
But luckily,
there are hundreds of books by game
developers for other game developers
that they don't check your game developer
cred at the door in order to buy.
And they tell us how to do these things.
Things like grouping, which actually I'm already doing
if you saw the black nodes versus white nodes.
Those are groups versus single nodes.
But we can also do things like a limited field of view
or a limited distance of view.
The standard things you see in every FPS game.
You can't see the entire way to the moon.
This will allow us to scale the visualization
pretty much as far as we need.
OpenStreetMap, of course, goes everywhere
in the world, so you can stalk a whole country
at once for just probably 10, 20,
50 thousand bucks, which
if you really, really want to be creepy
is not that big of an investment. Won't someone
think of the children?
And everything they're doing?
Every day?
If you are,
you're a bad person.
Finally,
we can add a lot of stuff to this.
How many of you guys have played with
software-defined radio since the RTL-SDR came out?
Quite a few people, actually,
for just kind of a random question.
There's these 10 to 20 dollar dongles
you can buy on eBay that allow you to sniff
software-defined radio, which means
basically everything from about, on this one,
I think about 75 megahertz,
up to a couple gigahertz.
That means you can listen to any wireless protocol,
not just Wi-Fi, for not a huge additional investment.
Put a tiny antenna in, but hey,
we're already talking about tiny antennas.
It's a tiny box.
So at that point, you can listen to anything,
whether that's stalking the goons for fun and frivolity
until you get thrown in the pool,
or messing with restaurant pagers,
or anything else you can think of,
transmitting over RF.
We can also work around encrypted Wi-Fi.
That's something trivial to do with tools like
or the other awesome attacks on wireless security.
That just gives us more ways to connect home.
At the end of the day,
if you're stalking in a city,
you don't really need it,
but it's something to keep in mind.
Finally, of course, we could do active attacks,
like the Jasager or Wi-Fi Pineapple attack,
to make sure that wireless devices connect to us
and run a full man-in-the-middle attack.
We don't have to, and frankly,
it makes this a lot easier to detect
if you go, hey, I don't recognize
that weird MAC address, and I'm definitely 6,000 miles
away from that access point,
which it says I'm connected to.
But we could run it.
You could be more subtle with modifying that software.
So it's something to think about.
So finally, let's talk about mitigation.
The problem is we have to sacrifice
the things we love in order to mitigate this.
Yes, it's a Bible joke.
The leaks are unfortunately
at every single level
of the entire stack.
And I do mean every single level.
At the bottom layer, the IEEE has said that
a list of all known networks every second or two
is an acceptable way to behave
in a crowded noise space.
That's a terrible idea, right?
But that's in the protocol.
We can't ignore the protocol.
That would be a bad thing,
and the IEEE will send out their engineering thugs
to hurt us.
They have to fix this.
But unfortunately, we've said, well,
it's so convenient to walk near my apartment
and immediately reconnect to Wi-Fi
without ever having to turn on my phone.
It can automatically connect to iMessage
and download all of my new messages.
And some of them won't be from Anthony Weiner,
I'm sure.
But the IEEE is not going to be able to
promulgate a new protocol
to device manufacturers.
Hey, it's going to be less convenient
and your customers will hate it,
but you should really use this
because it's more secure.
Next.
There's also a problem with the operating system level.
A lot of mobile operating systems,
and I'm going to pick on Apple here because that's what I use,
force VPNs.
What that means is that when I connect to a new Wi-Fi
on a laptop, I can have a setting that says
turn on the VPN before
you allow any packets to go.
That is not possible to do on iOS.
Which means that
you always have those first few messages.
And those first few messages are rich with data
because before the encryption has been set up,
they're already transmitting this user agent insanity
and everything else if they're open source
or if they're open protocols.
And so the OS, too, needs to be protected.
And finally, again,
we have to change the culture.
We as developers can't be collecting random data.
I found, for instance,
an online shopping application
that for some reason transmits my
location in real time.
It's not Groupon,
it's not something that actually involves my location.
They just want to know so they can serve me
targeted ads.
And they serve all their own data over SSL
because nobody should know,
nobody should have unencrypted access
to how much that new pair of Manolo Blahnik shoes costs.
But for some reason,
everyone in the world should have unencrypted access
to what OS I'm running
and where exactly I am in the world.
That's a pretty weird tradeoff.
And it's our fault
because we've forgotten to protect our users
in addition to protecting our servers.
This is everyone's fault
and so no one's going to take responsibility
for us, right?
It's just status quo.
Right?
The status is not quo.
Those of you who like Dr. Horrible.
We cannot tolerate this level of privacy leakers.
There's one Dr. Horrible fan.
As consumers, we need to demand better.
And as developers,
we have a responsibility to the world
to do better.
One final digression.
At ShmooCon 2013,
there was a pretty heated panel
about the interaction between academics and researchers.
I've actually split both in my career.
I have an academic degree in computer science.
I'm doing an academic degree in law these days.
But I'm also just a hacker
without any academic support most of my time.
We need to be able to have a way
for the two communities to work together.
And part of that needs to be that hackers
need to find a way
anyway to stop repeating
the same mistakes over and over.
Everybody who's done a long-term research project
or development project in here
knows that you spend the first couple months doing something
and then six months later you go,
God, they already did it and I just couldn't find it.
So a couple days ago, on Tuesday,
we launched Hark, a Kickstarter for Hark.
Hark is going to be a new hacker archive
that anyone can publish to.
We're going to publish whether it's a couple tweets,
a blog post, or a formal academic paper.
We're going to have mentors
who can help you take your work to the next level.
Whether the next level for you is a new BSides
or it's the USENIX WOOT conference,
which actually exists and is an awesome title.
We want to be able to have mentorship,
we want to be able to have promotion,
and we want to be able to have a permanent archive
so that people know that if they publish their work here
it will live beyond their own time.
Which especially as we start losing hackers
left and right is going to be a very important thing.
We want to be able to fail
better. In order to do that we need your help.
It's at thehark.net.
There's a Kickstarter you can contribute to.
Finally, thank you to all those
who have asked for comments, to Mudge for running the CFT,
and for my law school for not being hard enough
to make me actually work on law school
most of the time.
Also, I'm finishing law school in 10 more months
and I don't really know what I'm going to do next.
If you have an idea that you'd like
me to do in about 10 more months,
drop me an email. This is right on the slide.
And finally, seriously, we want to be able to fail
better and to make hackers not just
academics work, live forever.
If you too want to believe in immortality,
go to thehark.net and join us.
Thanks very much.
I think I've got about two minutes for questions.
So if I could take one or two questions
now and then you can trail me later.
IP cameras?
You certainly could do that.
This is kind of the minimum viable creepy.
Repeat the question?
Is that what you're saying?
The question was, why don't I integrate cameras?
So you can do IP cameras
and stalk from IP cameras. That would totally work.
You just need a new application specific parser.
One of the O parsers.
You could also integrate a camera
directly into the device,
which would be cool, but it costs another 20 bucks
to integrate a Raspberry Pi board.
Both of those are great ideas for future work.
One other question? Yeah.
Have you thought about using Unity 3D's
client server architecture to link up
independent hackers or independent
user-gathering operations
to present a positive and
similar to what they all are?
So the question was, have I used Unity's client
server architecture to do the networking,
especially between independent hackers?
I haven't, and the reason is it's not incredibly flexible
if you're not actually building a game.
That said, the way to link them up would actually be
one layer beforehand by everybody dumping into
the same shared CouchDB and tagging.
It would be essentially the sharding of the contagion network's work.
So that capability has already been
built in, it just doesn't use the Unity networking architecture.
Everybody else come grab me,
the goons are going to rip me off stage in about 30 seconds.
Thanks very much.
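The talk's mitigation section says the IEEE standard has every device announce its list of known networks every second or two, and the OPSEC-training idea earlier asks how much the devices you own leak. The script below is an added example, not the speaker's CreepyDOL code: it parses constructed tcpdump-style probe-request lines (the MACs and SSIDs are made up, and the exact line format is an assumption) and reports, per device in your own inventory, which network names it is broadcasting.

```python
import re
from collections import defaultdict

# Constructed sample lines in a tcpdump-like 802.11 style; the MACs and
# SSIDs are made up. Empty parentheses mean a wildcard (broadcast) probe.
SAMPLE_CAPTURE = """\
10:00:01.000 SA:02:00:00:00:00:01 Probe Request (HomeNet-5G)
10:00:01.200 SA:02:00:00:00:00:01 Probe Request (Acme Corp Guest)
10:00:02.100 SA:02:00:00:00:00:01 Probe Request (HomeNet-5G)
10:00:02.500 SA:02:00:00:00:00:02 Probe Request ()
10:00:03.000 SA:02:00:00:00:00:03 Probe Request (Airport_Free_WiFi)
"""

# Source address (the probing device) and the SSID it asked for.
PROBE_RE = re.compile(r"SA:([0-9a-f:]{17}).*Probe Request \((.*?)\)")


def parse_probes(text):
    """Yield (mac, ssid) per probe request; ssid is '' for a wildcard probe."""
    for line in text.splitlines():
        m = PROBE_RE.search(line)
        if m:
            yield m.group(1).lower(), m.group(2)


def audit(text, owned_macs):
    """Return ({mac: {"named_ssids": set, "probes": int}} for your devices,
    set of MACs seen that are not in your inventory)."""
    report = defaultdict(lambda: {"named_ssids": set(), "probes": 0})
    strangers = set()
    for mac, ssid in parse_probes(text):
        if mac not in owned_macs:
            strangers.add(mac)
            continue
        report[mac]["probes"] += 1
        if ssid:  # a directed probe names a remembered network
            report[mac]["named_ssids"].add(ssid)
    return dict(report), strangers


def leaking_devices(report):
    """MACs whose probes reveal at least one remembered network name."""
    return sorted(mac for mac, r in report.items() if r["named_ssids"])


if __name__ == "__main__":
    owned = {"02:00:00:00:00:01", "02:00:00:00:00:02"}
    rep, others = audit(SAMPLE_CAPTURE, owned)
    for mac in leaking_devices(rep):
        print(mac, "announces", sorted(rep[mac]["named_ssids"]))
    print("devices not in my inventory:", sorted(others))
```

A device that only sends wildcard probes (empty parentheses) reveals no network names this way; one that names its home and office networks is the fingerprint the talk describes.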
